CVE-2026-42485
Stack Buffer Overflow in AGL agl-service-can-low-level
Publication date: 2026-05-01
Last updated on: 2026-05-05
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agl | agl-service-can-low-level | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack buffer overflow in the uds-c library used by the agl-service-can-low-level component. Specifically, the send_diagnostic_request function allocates a 6-byte buffer on the stack but copies up to 7 bytes into it without proper bounds checking. This causes 1 to 4 bytes of overflow on the stack.
Because the payload_length field is not checked against the buffer size, an attacker can overflow the stack buffer. On 32-bit ARM automotive ECUs that lack stack canaries, this overflow can overwrite the return address, potentially allowing remote code execution (RCE).
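The check the record says is missing, as an added example that models the described pattern (a 6-byte stack buffer, a peer-controlled payload_length, up to 7 bytes on the wire); the struct, constants and function names are constructed for illustration and are not uds-c's real API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from uds-c or agl-service-can-low-level.
 * Constants mirror the sizes given in the record; names are hypothetical. */
#define DIAG_BUF_LEN  6   /* size of the stack buffer described in the record */
#define DIAG_MAX_WIRE 7   /* the record says up to 7 bytes could be copied */

typedef struct {
    uint8_t payload_length;          /* peer-controlled: never trust it */
    uint8_t payload[DIAG_MAX_WIRE];
} diag_request_t;

/* Stage the request payload in a DIAG_BUF_LEN-byte stack buffer, then copy
 * it to the caller's output. Returns the number of payload bytes staged, or
 * -1 if the request is rejected. The length check runs before memcpy, which
 * is the bounds check the record describes as missing. */
int stage_diag_request(const diag_request_t *req, uint8_t *out, size_t out_len)
{
    uint8_t buf[DIAG_BUF_LEN];

    if (req == NULL || out == NULL || out_len < sizeof buf)
        return -1;
    /* Reject anything that would not fit the destination buffer. */
    if (req->payload_length > sizeof buf)
        return -1;

    memset(buf, 0, sizeof buf);               /* deterministic padding */
    memcpy(buf, req->payload, req->payload_length);
    memcpy(out, buf, sizeof buf);
    return (int)req->payload_length;
}

/* Does a request carrying this payload_length pass the check? */
bool diag_length_accepted(uint8_t payload_length)
{
    diag_request_t req = { .payload_length = payload_length };
    uint8_t out[DIAG_BUF_LEN];
    return stage_diag_request(&req, out, sizeof out) >= 0;
}
```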
How can this vulnerability impact me?
This vulnerability can lead to remote code execution on affected 32-bit ARM automotive ECUs without stack canaries. An attacker could exploit the stack buffer overflow to overwrite the return address and execute arbitrary code.
Such an exploit could compromise the security and integrity of the automotive system, potentially allowing unauthorized control or disruption of vehicle functions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually large or malformed UDS (Unified Diagnostic Services) diagnostic request payloads sent over the CAN service API, as the overflow occurs when payloads exceed the expected size.
Specifically, detection involves capturing and analyzing CAN network traffic for diagnostic requests whose payload length exceeds the 6-byte buffer limit (7 bytes or more).
- Use a CAN bus monitoring tool (e.g., can-utils) to capture traffic: `candump can0`
- Filter diagnostic request messages and inspect payload lengths for values greater than 6 bytes.
- Example command to capture CAN frames carrying more than 6 data bytes (candump prints the frame's data length in square brackets, and classic CAN frames carry at most 8 bytes, so the pattern matches `[7]` and `[8]`): `candump can0 | grep -E '\[[78]\]'`
Additionally, system logs or application logs related to agl-service-can-low-level may show crashes or anomalies indicating exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the CAN service API to trusted sources only, to prevent unauthorized or malicious diagnostic requests.
Implement network-level filtering to block diagnostic requests with payloads exceeding the safe length (6 bytes) before they reach the vulnerable service.
If possible, update or patch the agl-service-can-low-level component or the uds-c library to a version that includes bounds checking on the payload length in the send_diagnostic_request function.
As a temporary workaround, enable any available security features such as stack canaries or address space layout randomization (ASLR) on the affected systems to reduce the risk of successful exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.